From 2ded87c98401bf63e3adaaf4f9e0807738c97d65 Mon Sep 17 00:00:00 2001
From: lissav
Date: Tue, 10 Feb 2009 19:48:29 +0000
Subject: [PATCH] These updates move the /install/postscripts/hostkeys private and public keys to reside in /etc/xcat/hostkeys directory. It will leave a copy of the public hostkeys in /install/postscripts/hostkeys
git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2714 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
---
 xCAT-server/lib/xcat/plugins/credentials.pm | 12 +-
 xCAT-server/lib/xcat/plugins/mknb.pm | 8 +-
 xCAT-server/sbin/xcatconfig | 297 ++++++++++++--------
 xCAT/xCAT.spec | 32 ++-
 4 files changed, 212 insertions(+), 137 deletions(-)
diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm
index 32f239125..ecbb7c2fc 100644
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@@ -120,15 +120,15 @@ sub process_request
 }
 $tfilename = "/root/.xcat/client-cred.pem";
 } elsif (/ssh_dsa_hostkey/) {
- unless (-r "/install/postscripts/hostkeys/ssh_host_dsa_key") {
- push @{$rsp->{'error'}},"Unable to read private DSA key from /install/postscripts/hostkeys";
+ unless (-r "/etc/xcat/hostkeys/ssh_host_dsa_key") {
+ push @{$rsp->{'error'}},"Unable to read private DSA key from /etc/xcat/hostkeys";
 }
- $tfilename="/install/postscripts/hostkeys/ssh_host_dsa_key";
+ $tfilename="/etc/xcat/hostkeys/ssh_host_dsa_key";
 } elsif (/ssh_rsa_hostkey/) {
- unless (-r "/install/postscripts/hostkeys/ssh_host_rsa_key") {
- push @{$rsp->{'error'}},"Unable to read private RSA key from /install/postscripts/hostkeys";
+ unless (-r "/etc/xcat/hostkeys/ssh_host_rsa_key") {
+ push @{$rsp->{'error'}},"Unable to read private RSA key from /etc/xcat/hostkeys";
 }
- $tfilename="/install/postscripts/hostkeys/ssh_host_rsa_key";
+ $tfilename="/etc/xcat/hostkeys/ssh_host_rsa_key";
 } elsif (/xcat_cfgloc/) {
 unless (-r "/etc/xcat/cfgloc") {
 push @{$rsp->{'error'}},"Unable to read xCAT database location";
diff --git a/xCAT-server/lib/xcat/plugins/mknb.pm b/xCAT-server/lib/xcat/plugins/mknb.pm
index 4532b0255..ddd510043 100644
--- a/xCAT-server/lib/xcat/plugins/mknb.pm
+++ b/xCAT-server/lib/xcat/plugins/mknb.pm
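Review bot: The private-key location is now spelled out three times per key type in this hunk (the `-r` test, the error text and the `$tfilename` assignment), and the same `/etc/xcat/hostkeys` literal recurs in mknb.pm and xcatconfig in this commit; a single `my $hostkeydir = "/etc/xcat/hostkeys";` above the dispatch, with `"$hostkeydir/ssh_host_dsa_key"` in each branch, keeps the next relocation to one edit per file. The `unless (-r ...)` branches only push an error and then still assign `$tfilename`, so if the remainder of process_request reads the file regardless, an unreadable key is reported twice; a `return` after the push, or a comment such as `# fall through: the later read reports the same failure`, would make the intent explicit — worth confirming against the code after the hunk. process_request starts before and ends after this hunk.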
@@ -80,10 +80,10 @@ sub process_request { chmod(0700,$tempdir."/root/.ssh"); copy("/root/.ssh/id_rsa.pub","$tempdir/root/.ssh/authorized_keys"); chmod(0600,"$tempdir/root/.ssh/authorized_keys"); - if (-r "$installdir/postscripts/hostkeys/ssh_host_key") { - copy("$installdir/postscripts/hostkeys/ssh_host_key","$tempdir/etc/ssh_host_key"); - copy("$installdir/postscripts/hostkeys/ssh_host_rsa_key","$tempdir/etc/ssh_host_rsa_key"); - copy("$installdir/postscripts/hostkeys/ssh_host_dsa_key","$tempdir/etc/ssh_host_dsa_key"); + if (-r "/etc/xcat/hostkeys/ssh_host_key") { + copy("/etc/xcat/hostkeys/ssh_host_key","$tempdir/etc/ssh_host_key"); + copy("/etc/xcat/hostkeys/ssh_host_rsa_key","$tempdir/etc/ssh_host_rsa_key"); + copy("/etc/xcat/hostkeys/ssh_host_dsa_key","$tempdir/etc/ssh_host_dsa_key"); chmod(0600,<$tempdir/etc/ssh_*>); } unless (-r "$tempdir/etc/ssh_host_key") { diff --git a/xCAT-server/sbin/xcatconfig b/xCAT-server/sbin/xcatconfig index ccf0ceca0..ee89fb7d5 100644 --- a/xCAT-server/sbin/xcatconfig +++ b/xCAT-server/sbin/xcatconfig @@ -67,6 +67,7 @@ else } chomp $::arch; chomp $::root; + # Make this system a management node my $cmd = "/bin/touch /etc/xCATMN"; my $outref = xCAT::Utils->runcmd("$cmd", 0); @@ -78,10 +79,12 @@ else { xCAT::MsgUtils->message('I', "Created /etc/xCATMN file.\n"); } -# Make sure service node file is not there -if (-f "/etc/xCATSN") { - my $cmd = "/bin/rm /etc/xCATSN"; - my $outref = xCAT::Utils->runcmd("$cmd", 0); + +# Make sure service node file is not there +if (-f "/etc/xCATSN") +{ + my $cmd = "/bin/rm /etc/xCATSN"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); } # some Linux-only config 
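Review bot: The three `copy(...)` calls into `$tempdir/etc` in the mknb.pm hunk discard File::Copy's return value, and the `-r` guard only checks `ssh_host_key`, so a missing or unreadable `ssh_host_rsa_key` or `ssh_host_dsa_key` under /etc/xcat/hostkeys is silently skipped and the later `unless (-r "$tempdir/etc/ssh_host_key")` check (which only looks at the SSH1 key) will not notice. A loop over the three names that tests and copies each key and reports a failed copy closes that gap and removes the repeated path literals. Separately, if, as the plugin name suggests, `$tempdir` is packed into the network-boot image, the private host keys still leave the new `/etc/xcat/hostkeys` location by that route, so moving them there does not by itself limit who can read them; a comment here such as `# the private host keys are copied into the netboot image; it must be kept as restricted as the keys themselves` would record that dependency. process_request continues outside this hunk.
```perl
    // … unchanged: authorized_keys setup above …
    for my $key (qw(ssh_host_key ssh_host_rsa_key ssh_host_dsa_key)) {
        my $src = "/etc/xcat/hostkeys/$key";
        next unless -r $src;
        unless (copy($src, "$tempdir/etc/$key")) {
            # … report "copy of $src failed: $!" through the plugin's existing error path …
        }
    }
    chmod(0600, <$tempdir/etc/ssh_*>);
```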
@@ -210,51 +213,60 @@ if ($::osname eq 'Linux') # # Generate ssh keys # -if ((!-f "/install/postscripts/hostkeys/ssh_host_key") || $::FORCE) + +# create /etc/xcat/hostkeys and /install/postscripts/hostkeys +if (!-d "/install/postscripts/hostkeys") # directory for public keys +{ + my $cmd = "/bin/mkdir -p /install/postscripts/hostkeys"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', + "Could not create /install/postscripts/hostkeys directory.\n"); + } +} +if (!-d "/etc/xcat/hostkeys") # directory for public/private keys +{ + my $cmd = "/bin/mkdir -p /etc/xcat/hostkeys"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', + "Could not create /etc/xcat/hostkeys directory.\n"); + } +} + +if ($::FORCE) { - # create /install/postscripts/hostkeys if needed - if (!-d "/install/postscripts/hostkeys") + # remove the old keys + my $cmd = "/bin/rm /install/postscripts/hostkeys/ssh_host*"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) { - my $cmd = "/bin/mkdir -p /install/postscripts/hostkeys"; - my $outref = xCAT::Utils->runcmd("$cmd", 0); - if ($::RUNCMD_RC != 0) - { - xCAT::MsgUtils->message('E', - "Could not create /install/postscripts/hostkeys directory.\n"); - } - else - { - xCAT::MsgUtils->message('I', - "Created /install/postscripts/hostkeys directory.\n"); - } + xCAT::MsgUtils->message( + 'I', + "Could not remove ssh keys from /install/postscripts/hostkeys directory. 
They may not exist.\n" + ); } - if ($::FORCE) + # remove the old keys + my $cmd = "/bin/rm /etc/xcat/hostkeys/ssh_host*"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) { - - # remove the old keys - my $cmd = "/bin/rm /install/postscripts/hostkeys/ssh_host*"; - my $outref = xCAT::Utils->runcmd("$cmd", 0); - if ($::RUNCMD_RC != 0) - { - xCAT::MsgUtils->message( - 'E', - "Could not remove ssh keys from /install/postscripts/hostkeys directory.\n" - ); - } - else - { - xCAT::MsgUtils->message( - 'I', - "Removed ssh keys from /install/postscripts/hostkeys directory.\n" - ); - } + xCAT::MsgUtils->message( + 'I', + "Could not remove ssh keys from /etc/xcat/hostkeys directory. They may not exist.\n" + ); } + # + # generate new hostkeys + # xCAT::MsgUtils->message('I', "Generating SSH1 RSA Key...\n"); my $cmd = - "/usr/bin/ssh-keygen -t rsa1 -f /install/postscripts/hostkeys/ssh_host_key -C '' -N ''"; + "/usr/bin/ssh-keygen -t rsa1 -f /etc/xcat/hostkeys/ssh_host_key -C '' -N ''"; my $outref = xCAT::Utils->runcmd("$cmd", 0); if ($::RUNCMD_RC != 0) { @@ -263,7 +275,7 @@ if ((!-f "/install/postscripts/hostkeys/ssh_host_key") || $::FORCE) xCAT::MsgUtils->message('I', "Generating SSH2 RSA Key...\n"); my $cmd = - "/usr/bin/ssh-keygen -t rsa -f /install/postscripts/hostkeys/ssh_host_rsa_key -C '' -N ''"; + "/usr/bin/ssh-keygen -t rsa -f /etc/xcat/hostkeys/ssh_host_rsa_key -C '' -N ''"; my $outref = xCAT::Utils->runcmd("$cmd", 0); if ($::RUNCMD_RC != 0) { 
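Review bot: With the old `if ((!-f "/install/postscripts/hostkeys/ssh_host_key") || $::FORCE)` replaced by `if ($::FORCE)` at the top of this hunk, the three `ssh-keygen` calls and the `.pub` copy that follow now run only with `--force`, so a management node that has no host keys in either location (and on which the `%post` scriptlet from this commit's xCAT.spec did not run) finishes xcatconfig with no host keys at all. Restoring the no-keys case while leaving existing keys alone would read `if (((!-f "/etc/xcat/hostkeys/ssh_host_key") && (!-f "/install/postscripts/hostkeys/ssh_host_key")) || $::FORCE)` — the second test lets the migration block later in the file handle the case where only the old copy exists; check that block before changing the condition. The new `/bin/mkdir -p /etc/xcat/hostkeys` creates the directory with the process umask although it is meant to hold private keys; follow it with a `chmod 0700`, or use `/bin/mkdir -p -m 0700 /etc/xcat/hostkeys` (POSIX mkdir accepts `-m`), so the directory itself is not world-searchable. The enclosing `if` block continues past the end of this hunk.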
@@ -272,45 +284,97 @@ if ((!-f "/install/postscripts/hostkeys/ssh_host_key") || $::FORCE) xCAT::MsgUtils->message('I', "Generating SSH2 DSA Key...\n"); my $cmd = - "/usr/bin/ssh-keygen -t dsa -f /install/postscripts/hostkeys/ssh_host_dsa_key -C '' -N ''"; + "/usr/bin/ssh-keygen -t dsa -f /etc/xcat/hostkeys/ssh_host_dsa_key -C '' -N ''"; my $outref = xCAT::Utils->runcmd("$cmd", 0); if ($::RUNCMD_RC != 0) { xCAT::MsgUtils->message('E', "Could not generate SSH2 DSA key.\n"); } + + # copy the public keys to install directory + my $cmd = + "/bin/cp /etc/xcat/hostkeys/*.pub /install/postscripts/hostkeys/."; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "$cmd not successful.\n"); + } + else + { + xCAT::MsgUtils->message('I', "$cmd is successful\n"); + } } -else + +# +# move old keys if they exist, to the new directory and remove private keys +if (-f "/install/postscripts/hostkeys/ssh_host_key") { - xCAT::MsgUtils->message( - 'I', - "/install/postscripts/hostkeys directory exists, no keys generated. 
Use --force option to generate new keys.\n" - ); + + # copy all keys to /etc/xcat/hostkeys directory + my $cmd = "/bin/cp -p /install/postscripts/hostkeys/* /etc/xcat/hostkeys/."; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "$cmd not successful.\n"); + } + + # remove private keys from install dir + if (-f "/install/postscripts/hostkeys/ssh_host_dsa_key") + { + my $cmd = "/bin/rm /install/postscripts/hostkeys/ssh_host_dsa_key"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "$cmd not successful.\n"); + } + } + if (-f "/install/postscripts/hostkeys/ssh_host_key") + { + my $cmd = "/bin/rm /install/postscripts/hostkeys/ssh_host_key"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "$cmd not successful.\n"); + } + } + if (-f "/install/postscripts/hostkeys/ssh_host_rsa_key") + { + my $cmd = "/bin/rm /install/postscripts/hostkeys/ssh_host_rsa_key"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "$cmd not successful.\n"); + } + } } # # move old directories if they exist if (-d "/install/postscripts/.ssh") { - my $cmd = "/bin/mv /install/postscripts/.ssh /install/postscripts/_ssh"; + my $cmd = "/bin/mv /install/postscripts/.ssh/* /install/postscripts/_ssh/."; my $outref = xCAT::Utils->runcmd("$cmd", -1); - # if ($::RUNCMD_RC != 0) - # { + my $cmd = "/bin/rmdir /install/postscripts/.ssh"; + my $outref = xCAT::Utils->runcmd("$cmd", -1); + + # if ($::RUNCMD_RC != 0) + # { # xCAT::MsgUtils->message( - # 'E', - # "Could not move /install/postscripts/.ssh directory to /install/postscripts/_ssh.\n" - # ); - # } - # else - # { + # 'E', + # "Could not move /install/postscripts/.ssh directory to /install/postscripts/_ssh.\n" + # ); + # } + # else + # { # xCAT::MsgUtils->message( # 'I', - # "Moved /install/postscripts/.ssh directory to 
/install/postscripts/_ssh.\n" + # "Moved /install/postscripts/.ssh directory to /install/postscripts/_ssh.\n" # ); - # } + # } } if (-d "/install/postscripts/.xcat") { - my $cmd = "/bin/mv /install/postscripts/.xcat /install/postscripts/_xcat"; + my $cmd = "/bin/mv /install/postscripts/.xcat/* /install/postscripts/_xcat/."; my $outref = xCAT::Utils->runcmd("$cmd", 0); if ($::RUNCMD_RC != 0) { @@ -319,13 +383,8 @@ if (-d "/install/postscripts/.xcat") "Could not move /install/postscripts/.xcat directory to /install/postscripts/_xcat.\n" ); } - else - { - xCAT::MsgUtils->message( - 'I', - "Moved /install/postscripts/.xcat directory to /install/postscripts/_xcat.\n" - ); - } + my $cmd = "/bin/rmdir /install/postscripts/.xcat"; + my $outref = xCAT::Utils->runcmd("$cmd", -1); } # @@ -413,7 +472,7 @@ if (!-d "/install/postscripts/_ssh") } # -# Generate id_rsa.pub, if it does not exist or the force option +# Generate id_rsa.pub, if it does not exist or the force option # my $pubfile = "$::root/.ssh/id_rsa.pub"; my $rsafile = "$::root/.ssh/id_rsa"; 
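Review bot: In the migration block the three `/bin/rm /install/postscripts/hostkeys/ssh_host_*` removals run even when the preceding `/bin/cp -p ... /etc/xcat/hostkeys/.` failed (its `$::RUNCMD_RC != 0` branch only logs), so a failed copy followed by the removals leaves the management node with no private host keys anywhere; move the three removal blocks under an `else` of that check, or guard them with `if ($::RUNCMD_RC == 0)` taken right after the copy. The replacement of `mv .ssh _ssh` by `/bin/mv /install/postscripts/.ssh/* /install/postscripts/_ssh/.` assumes `_ssh` already exists, but the `if (!-d "/install/postscripts/_ssh")` block that the `@@ -413,7 +472,7` header points to sits about a hundred lines later, so if that is where `_ssh` is created, an upgrade hits a failing `mv` (silenced by the `-1` passed to runcmd) and then a failing `rmdir` on the still-populated directory; prefix the move with `/bin/mkdir -p /install/postscripts/_ssh && `, or keep the old rename when `_ssh` is absent. The same ordering question applies to the `.xcat`/`_xcat` move in this hunk and the `rmdir` added in the following `@@ -319,13 +383,8` hunk, if `_xcat` is likewise created only later.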
@@ -450,47 +509,51 @@ if ((!-r $pubfile) || $::FORCE) { xCAT::MsgUtils->message('I', "Generated $pubfile.\n"); - if ($::osname eq 'AIX') - { - # allows node be able to scp to the MN only for AIX - my $cmd = "/bin/cat $pubfile >> /.ssh/authorized_keys"; - my $outref = xCAT::Utils->runcmd("$cmd", 0); - if ($::RUNCMD_RC != 0) - { - xCAT::MsgUtils->message('E', + if ($::osname eq 'AIX') + { + + # allows node be able to scp to the MN only for AIX + my $cmd = "/bin/cat $pubfile >> /.ssh/authorized_keys"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message('E', "Could not cat $pubfile to /.ssh/authorized_keys.\n"); - } - else - { - xCAT::MsgUtils->message('I', + } + else + { + xCAT::MsgUtils->message('I', "Added $pubfile to /.ssh/authorized_keys.\n"); - chmod 0600, "/.ssh/authorized_keys"; - } - } + chmod 0600, "/.ssh/authorized_keys"; + } + } } } + # copy authorized_keys for install on node -if (-r $pubfile) { - my $cmd = "/bin/cp $pubfile /install/postscripts/_ssh/authorized_keys"; - my $outref = xCAT::Utils->runcmd("$cmd", 0); - if ($::RUNCMD_RC != 0) - { - xCAT::MsgUtils->message( - 'E', - "Could not copy $pubfile to /install/postscripts/_ssh/authorized_keys.\n" - ); - } - else - { - xCAT::MsgUtils->message( - 'I', - "Copied $pubfile to /install/postscripts/_ssh/authorized_keys.\n" - ); - } -} else { - xCAT::MsgUtils->message( 'E', - "Could not copy $pubfile to /install/postscripts/_ssh/authorized_keys,because $pubfile does not exist.\n" - ); +if (-r $pubfile) +{ + my $cmd = "/bin/cp $pubfile /install/postscripts/_ssh/authorized_keys"; + my $outref = xCAT::Utils->runcmd("$cmd", 0); + if ($::RUNCMD_RC != 0) + { + xCAT::MsgUtils->message( + 'E', + "Could not copy $pubfile to /install/postscripts/_ssh/authorized_keys.\n" + ); + } + else + { + xCAT::MsgUtils->message('I', + "Copied $pubfile to /install/postscripts/_ssh/authorized_keys.\n"); + } +} +else +{ + xCAT::MsgUtils->message( + 'E', + "Could not copy $pubfile to 
/install/postscripts/_ssh/authorized_keys,because $pubfile does not exist.\n" + ); } # @@ -655,8 +718,7 @@ if ((!-r "/etc/xcat/site.sqlite") || $::FORCE) } if ($::osname eq 'AIX') { - $chtabcmds .= - "$::XCATROOT/sbin/chtab key=useSSHonAIX site.value=no;"; + $chtabcmds .= "$::XCATROOT/sbin/chtab key=useSSHonAIX site.value=no;"; $chtabcmds .= "$::XCATROOT/sbin/chtab key=consoleondemand site.value=yes;"; } @@ -672,19 +734,19 @@ if ((!-r "/etc/xcat/site.sqlite") || $::FORCE) } } -# create default postscript list in postscripts table +# create default postscript list in postscripts table if ((!-r "/etc/xcat/postscripts.sqlite") || $::FORCE) { my $chtabcmds; if ($::osname eq 'AIX') { - $chtabcmds = - "$::XCATROOT/sbin/chtab node=xcatdefaults postscripts.postscripts='syslog,aixremoteshell';"; + $chtabcmds = + "$::XCATROOT/sbin/chtab node=xcatdefaults postscripts.postscripts='syslog,aixremoteshell';"; } else { - $chtabcmds = - "$::XCATROOT/sbin/chtab node=xcatdefaults postscripts.postscripts='syslog,remoteshell';"; + $chtabcmds = + "$::XCATROOT/sbin/chtab node=xcatdefaults postscripts.postscripts='syslog,remoteshell';"; } $chtabcmds .= @@ -816,12 +878,12 @@ my $outref = xCAT::Utils->runcmd("$cmd", 0); if ($::RUNCMD_RC != 0) { xCAT::MsgUtils->message('E', - "Could not create /install/postscripts/ca/certs directory.\n"); + "Could not create /install/postscripts/ca/certs directory.\n"); } else { xCAT::MsgUtils->message('I', - "Created /install/postscripts/ca/certs directory.\n"); + "Created /install/postscripts/ca/certs directory.\n"); } my $cmd = "/bin/cp -r /etc/xcat/ca/* /install/postscripts/ca"; my $outref = xCAT::Utils->runcmd("$cmd", 0); @@ -943,12 +1005,12 @@ if ($::RUNCMD_RC != 0) } else { - xCAT::MsgUtils->message('I', - "Copied /etc/xcat/ca/certs* to /install/postscripts/ca/certs directory.\n"); + xCAT::MsgUtils->message( + 'I', + "Copied /etc/xcat/ca/certs* to /install/postscripts/ca/certs directory.\n" + ); } - - # # if there are xcatd processes then stop them # 
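Review bot: In the re-indented AIX branch, `/bin/cat $pubfile >> /.ssh/authorized_keys` appends the newly generated public key without removing the entry for the key it replaces, and the hunk header shows this runs under `if ((!-r $pubfile) || $::FORCE)`, so every `--force` run leaves the superseded key authorized for root until someone edits the file by hand. Unless that pruning happens outside this hunk, the append should at least be made idempotent, `grep -q -F -f $pubfile /.ssh/authorized_keys || cat $pubfile >> /.ssh/authorized_keys`, and the `--force` path should drop the previous key's line (which means reading the old `$pubfile` before `ssh-keygen` overwrites it, outside this hunk). The remainder of this hunk is indentation and brace placement only.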
@@ -1001,8 +1063,9 @@ if ($::RUNCMD_RC != 0) # for AIX systems add xcatd to the /etc/inittab file if ($::osname eq 'AIX') { - my $mkitab_cmd = 'mkitab "xcatd:2:once:/opt/xcat/sbin/xcatd > /dev/console 2>&1" > /dev/null 2>&1'; - my $rc = system($mkitab_cmd); + my $mkitab_cmd = + 'mkitab "xcatd:2:once:/opt/xcat/sbin/xcatd > /dev/console 2>&1" > /dev/null 2>&1'; + my $rc = system($mkitab_cmd); } # more - Linux-only config diff --git a/xCAT/xCAT.spec b/xCAT/xCAT.spec index 1215b936a..226be71d2 100644 --- a/xCAT/xCAT.spec +++ b/xCAT/xCAT.spec @@ -72,6 +72,7 @@ rm postscripts.tar rm LICENSE.html mkdir -p postscripts/hostkeys +mkdir -p /etc/xcat/hostkeys cd - cp %{SOURCE1} $RPM_BUILD_ROOT/etc/apache2/conf.d/xcat.conf cp %{SOURCE1} $RPM_BUILD_ROOT/etc/httpd/conf.d/xcat.conf 
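Review bot: The added `mkdir -p /etc/xcat/hostkeys` in xCAT.spec sits among lines that populate `$RPM_BUILD_ROOT` (which looks like the `%install` section), so it creates the directory on the build host rather than in the package: nothing is installed, and the `%post` keygen in the next hunk has no `/etc/xcat/hostkeys` to write into on a fresh system. Make it `mkdir -p $RPM_BUILD_ROOT/etc/xcat/hostkeys` and list the directory in `%files` as `%dir %attr(0700,root,root) /etc/xcat/hostkeys`, so the private-key directory ships with a restrictive mode instead of the build umask. The `mkitab` hunk above it is a line re-wrap only.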
@@ -104,20 +105,31 @@ if [ ! -d /var/ftp/tftpboot ]; then
 echo "/tftpboot /var/ftp/tftpboot none bind,defaults 0 0" >> /etc/fstab
 mount /var/ftp/tftpboot
 fi
-
-if [ ! -f /install/postscripts/hostkeys/ssh_host_key ]; then
- echo Generating SSH1 RSA Key...
- /usr/bin/ssh-keygen -t rsa1 -f /install/postscripts/hostkeys/ssh_host_key -C '' -N ''
- echo Generating SSH2 RSA Key...
- /usr/bin/ssh-keygen -t rsa -f /install/postscripts/hostkeys/ssh_host_rsa_key -C '' -N ''
- echo Generating SSH2 DSA Key...
- /usr/bin/ssh-keygen -t dsa -f /install/postscripts/hostkeys/ssh_host_dsa_key -C '' -N ''
+# never generated the keys
+if [ ! -f /install/postscripts/hostkeys/ssh_host_key.pub ]; then
+ echo Generating SSH1 RSA Key...
+ /usr/bin/ssh-keygen -t rsa1 -f /etc/xcat/hostkeys/ssh_host_key -C '' -N ''
+ echo Generating SSH2 RSA Key...
+ /usr/bin/ssh-keygen -t rsa -f /etc/xcat/hostkeys/ssh_host_rsa_key -C '' -N ''
+ echo Generating SSH2 DSA Key...
+ /usr/bin/ssh-keygen -t dsa -f /etc/xcat/hostkeys/ssh_host_dsa_key -C '' -N ''
+ /bin/cp /etc/xcat/hostkeys/ssh_host*.pub /install/postscripts/hostkeys/
+fi
+# generated the keys before, still have private keys in install
+# copy all to the new private directory and then remove private keys
+if [ -f /install/postscripts/hostkeys/ssh_host_key ]; then
+ /bin/cp /install/postscripts/hostkeys/* /etc/xcat/hostkeys/.
+ /bin/rm /install/postscripts/hostkeys/ssh_host_dsa_key
+ /bin/rm /install/postscripts/hostkeys/ssh_host_rsa_key
+ /bin/rm /install/postscripts/hostkeys/ssh_host_key
 fi
 if [ -d /install/postscripts/.ssh ]; then
- mv /install/postscripts/.ssh /install/postscripts/_ssh
+ /bin/mv /install/postscripts/.ssh/* /install/postscripts/_ssh/.
+ rmdir /install/postscripts/.ssh
 fi
 if [ -d /install/postscripts/.xcat ]; then
- mv /install/postscripts/.xcat /install/postscripts/_xcat
+ /bin/mv /install/postscripts/.xcat/* /install/postscripts/_xcat/.
+ rmdir /install/postscripts/.xcat
 fi
 chkconfig vsftpd on
 /etc/init.d/vsftpd start
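Review bot: The `ssh-keygen -f /etc/xcat/hostkeys/...` calls in the `never generated the keys` block assume the directory exists, but nothing in this scriptlet creates it (and the `mkdir -p /etc/xcat/hostkeys` added in the previous hunk appears to run on the build host rather than under `$RPM_BUILD_ROOT`), so on a fresh install all three keygens fail and the `/bin/cp ... ssh_host*.pub` line copies nothing; add `mkdir -p /etc/xcat/hostkeys && chmod 0700 /etc/xcat/hostkeys` before the first `ssh-keygen`. The guard also tests the public copy under /install while the keys are written under /etc/xcat/hostkeys; testing the private key instead, `if [ ! -f /etc/xcat/hostkeys/ssh_host_key ]; then`, avoids ssh-keygen prompting to overwrite an existing key when only the public copy is missing. In the migration block the three `/bin/rm` lines run even if the `cp` into /etc/xcat/hostkeys failed, which would delete the only copy of the private keys; chain them so removal depends on the copy, `/bin/cp /install/postscripts/hostkeys/* /etc/xcat/hostkeys/. && /bin/rm /install/postscripts/hostkeys/ssh_host_dsa_key /install/postscripts/hostkeys/ssh_host_rsa_key /install/postscripts/hostkeys/ssh_host_key`. The `/bin/mv /install/postscripts/.ssh/* /install/postscripts/_ssh/.` line likewise needs `_ssh` to exist before it runs; if it is not created earlier in `%post`, both that `mv` and the `rmdir` after it fail, and the same holds for the `.xcat`/`_xcat` pair.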